Symantec’s Threat Hunter team has identified a new custom backdoor called “Betruger” that has been linked to a RansomHub affiliate.
This sophisticated malware appears to have been specifically developed for ransomware operations, consolidating functionality typically distributed across multiple attack tools into a single package.
Security researchers believe this design choice aims to minimize the attacker’s footprint during intrusions by reducing the number of distinct tools required to execute a successful ransomware campaign.
Comprehensive Functionality Enhances Attack Capabilities
The Betruger backdoor incorporates an extensive array of features that facilitate various stages of the attack chain.
These capabilities include screen capture, credential theft, keylogging, network scanning, and privilege escalation.
Bundling these functions into one binary lets the threat actor maintain persistent access, gather sensitive information, and expand their foothold within compromised environments without dropping additional tools that defenders might detect.
The backdoor represents a concerning evolution in ransomware tactics. RansomHub operates as a Ransomware-as-a-Service (RaaS) platform: it provides criminal affiliates with the infrastructure and tools needed to conduct attacks, and the affiliates share their profits with the platform developers. A purpose-built backdoor in an affiliate's toolkit indicates a level of investment beyond the off-the-shelf tooling usually seen in such operations.
Detection and Protection Measures
Symantec has implemented multiple layers of protection against this threat across its security products.
The company’s defenses include adaptive-based detections such as ACM.Ps-RgPst!g1 and ACM.Untrst-RunSys!g1, behavior-based detection through SONAR.TCP!gen1, and file-based signatures including Backdoor.Betruger, Backdoor.Cobalt, and Ransom.Ransomhub!g1.
Additional protection is provided through machine learning-based detection with various Heur.AdvML variants.
VMware Carbon Black products also block associated malicious indicators through existing policies.
Security experts recommend implementing policies that block all types of malware from executing, and enabling delayed execution for cloud scanning so that reputation services can assess new files before they run.
Organizations are advised to keep their security solutions updated with the latest signatures and to apply the recommended configurations to defend against this emerging threat.